From owner-freebsd-security  Tue Sep  3  7:50: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BBE2937B400
	for <security@freebsd.org>; Tue,  3 Sep 2002 07:49:49 -0700 (PDT)
Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2DD6343E4A
	for <security@freebsd.org>; Tue,  3 Sep 2002 07:49:49 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18])
	by obsidian.sentex.ca (8.12.5/8.12.5) with ESMTP id g83Enjv3062819
	for <security@freebsd.org>; Tue, 3 Sep 2002 10:49:45 -0400 (EDT)
	(envelope-from mike@sentex.net)
Message-Id: <5.1.1.6.0.20020903104701.0591bc10@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Tue, 03 Sep 2002 10:50:02 -0400
To: security@freebsd.org
From: Mike Tancsa <mike@sentex.net>
Subject: FreeBSD IPSEC connection to a Cisco Router using ESP (FAQ
  submission)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (obsidian/20020517)
X-Spam-Status: No, hits=0.0 required=7.0
	tests=none
	version=2.31
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org



Question: How do I setup an IPSEC ESP Tunnel between a Cisco router and FreeBSD

AN Answer:

OK, I have seen a few people ask this question, but I had not found via the 
search engines a sample config on how to setup an IPSEC tunnel between a 
FreeBSD box and Cisco router. We had a customer over the weekend wanting to 
do just this, so I figured I would post the setup here in case anyone else 
wanted to do something like this.



Given the following setup
FreeBSD-------------------<Internet>-------------Cisco
192.168.100.9/24 and 1.1.1.1/30		2.2.2.2/30 and 96.0.0.1/24

i.e. 2 machines connected to the Internet, at distant locations-- FreeBSD 
box has 1.1.1.1/30 as the public address (i.e. NON RFC 1918) and the Cisco, 
2.2.2.2/30.  The goal is to setup a VPN tunnel between the two using an 
IPSEC connection with AH and ESP.  For the setup, I used an old Cisco 4700 
with only DES encryption.  Note, it is recommended that you use something 
stronger like 3des in a production environment.

On the Cisco we have the following config.
4700-router#show run
Building configuration...

Current configuration : 1991 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 4700-router
!
boot system flash c4500-jk8s-mz.122-10b.bin
aaa new-model

!
ip subnet-zero
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 6000
crypto isakmp key donttell address 1.1.1.1.
crypto isakmp key donttell address 2.2.2.2
!
crypto ipsec security-association lifetime seconds 6000
!
crypto ipsec transform-set MB esp-des esp-md5-hmac
!
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp
description My customer site called MB
set peer 1.1.1.1
set transform-set MB
set pfs group2
match address 109
!
!
!
!
interface Ethernet0
ip address 96.0.0.1 255.255.255.0
media-type 10BaseT
!
interface FastEthernet0
ip address 2.2.2.2 255.255.255.252
half-duplex
crypto map FreeBSDIPSEC-MAP
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.1
no ip http server

!
access-list 109 permit ip 192.168.100.0 0.0.0.255 96.0.0.0 0.0.0.255
access-list 109 permit ip 96.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
!
end

4700-router#
On the FreeBSD side, we have the following
script, 00_ipsec.sh you can put in /usr/local/etc/rc.d


#!/bin/sh

case "$1" in
start)
         setkey -F
         setkey -FP
         setkey -c <<EOF
        spdadd 192.168.100.0/24 96.0.0.0/24 any -P out ipsec 
esp/tunnel/1.1.1.1-2.2.2.2/unique ;
        spdadd 96.0.0.0/24 192.168.100.0/24 any -P in ipsec 
esp/tunnel/2.2.2.2-1.1.1.1/unique ;
EOF
         ;;
stop)
                 setkey -F
                 setkey -FP
         ;;
*)
         echo "Usage: `basename $0` {start|stop}" >&2
         ;;
esac

exit 0




remote anonymous
{
exchange_mode main,base,aggressive;
doi ipsec_doi;
#situation identity_only;
my_identifier address 1.1.1.1;
nonce_size 16;
lifetime time 6000 sec; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}


sainfo anonymous
{
pfs_group 2;
lifetime time 6000 sec;
encryption_algorithm des,3des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

And dont forget to add
2.2.2.2	donttell
to /usr/local/etc/racoon/psk.txt

In terms of interfaces, we just have the 2... No gif.  To bring up the 
tunnel, make sure you do a ping specifying the source address
e.g.
ping -S 192.168.100.9 96.0.0.1
or just generate something from behind the FreeBSD box.

	---Mike
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message